Abstract
Security requirements are known to be “the most difficult of requirements types” and potentially the ones causing the greatest risk if they are not correct. One approach to requirements elicitation is based on the reuse of explicit knowledge. AMAN-DA is a requirement elicitation method that reuses encapsulated knowledge in security and domain ontologies to produce security requirements specifications. The main research question addressed in this paper is to what extent is AMAN-DA able to generate domain-specific security requirements? Following a well-documented process, a case study related to the maritime domain was undertaken with the goal to demonstrate the utility and effectiveness of AMAN-DA for the elicitation and analysis of domain-specific security requirements. The usefulness of the method was also evaluated with a group of 12 experts. The paper demonstrates the elicitation of domain-specific security requirements by presenting the AMAN-DA method and its application. It describes the evaluation and reports some significant results and their implications for practice and future research, especially for the field of knowledge reuse in requirements engineering.
Similar content being viewed by others
Notes
AMAN () is the Arabic word for security. DA is for domain of application. The name was chosen to refer to security requirements engineering for domains of application.
The interview instrument can be consulted on this link: https://www.dropbox.com/s/34nb8d4xo4hwuc8/Interview%20instrument.pdf?dl=0.
References
Mayer N (2012) Model-based management of information system security risk. Presses universitaires de Namur
Fenz S, Ekelhart A (2009) Formalizing information security knowledge. In Proceedings of the 4th international symposium on information, computer, and communications security, ASIACCS’09. ACM, New York, NY, USA, pp 183–194
Haley CB, Laney R, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153
Tondel IA, Jaatun MG, Meland PH (2008) Security requirements for the rest of us: a survey. Softw IEEE 25(1):20–27
Meier JD (2006) Web application security engineering. Secur Priv IEEE 4(4):16–24
Firesmith DG (2004) Specifying reusable security requirements. J Object Technol 3(1):61–75
Zuccato A, Daniels N, Jampathom C (2011) Service security requirement profiles for telecom: how software engineers may tackle security. In: The sixth international conference on availability, reliability and security (ARES’11), pp 521–526. doi:10.1109/ARES.2011.81
Salinesi C, Ivankina E, Angole W (2008) Using the RITA threats ontology to guide requirements elicitation: an empirical experiment in the banking sector. In: The first international workshop on managing requirements knowledge, 2008, MARK’08, pp 11–15
Velasco JL, Valencia-Garcia R, Fernandez-Breis JT, Toval A (2009) Modelling reusable security requirements based on an ontology framework. J Res Pract Inf Technol 41(2):119
Souag A, Salinesi C, Comyn-Wattiau I, Mouratidis H (2013) Using security and domain ontologies for security requirements analysis. In: Computer software and applications conference workshops (COMPSACW), pp 101–107
Souag A (2012) Towards a new generation of security requirements definition methodology using ontologies. In: CAiSE, Gdansk, Poland, pp1–8
Runeson P, Host M, Rainer A, Regnell B (2012) Case study research in software engineering: guidelines and examples, 1st edn. Wiley, Hoboken
Souag A, Mazo R, Salinesi C, Comyn-Wattiau I (2015) Reusable knowledge in security requirements engineering: a systematic mapping study. Requir Eng J 21(2):251–283
Peffers K, Tuunanen T, Rothenberger MA, Chatterjee S (2007) A design science research methodology for information systems research. J Manag Inf Syst 24(3):45–77
Souag A, Salinesi C, Comyn-Wattiau I (2012) Ontologies for security requirements: a literature survey and classification. In: Advanced information systems engineering workshops. Springer, Berlin, pp 61–69
Souag A, Salinesi C, Mazo R, Comyn-Wattiau I (2015) A security ontology for security requirements elicitation. In: Piessens F, Caballero J, Bielova N (eds) Engineering Secure Software and Systems (ESSoS), Milan, Italy. Springer, Cham, pp 157–177
Eisenhardt KM (1989) Building theories from case study research. Acad Manag Rev 14(4):532–550
Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(02):285–309
Mouratidis H (2011) Secure software systems engineering: the secure tropos approach. JSW 6(3):331–339
Secure and Dependable Software Systems. University of Brighton. Modelling method conceptualisation within OMiLab: the secure tropos approach. May 2017. http://vienna.omilab.org/repo/files/T-SecTr/2017-05-12%20RCIS%202017%20SecureTroposTutorial.pdf
Bjørner D (2010) Rôle of domain engineering in software development—why current requirements engineering is flawed! In: Pnueli A, Virbitskaite I, Voronkov A (eds) Perspectives of systems informatics. Springer, Berlin, pp 2–34
Kaiya H, Saeki M (2006) Using domain ontology as domain knowledge for requirements elicitation. In: The 14th IEEE international conference on requirements engineering, pp 189–198
Rupp C, Simon M, Hocker F (2009) Requirements engineering und management. HMD Praxis der Wirtschaftsinformatik 46(3):94–103
Prat N, Comyn-Wattiau I, Akoka J (2015) A taxonomy of evaluation methods for information systems artifacts. J Manag Inf Syst 32(3):229–267
Checkland P, Scholes J (1990) Soft systems methodology in action. Wiley, Chichester
Venable J, Pries-Heje J, Baskerville RA (2012) Comprehensive framework for evaluation in design science research. In: Salinesi C, Peffers K, Rothenberger M, Kuechler B (eds) Proceedings of the seventh international conference on design science research in information systems and technology (DESRIST 2012). Springer, Las Vegas, pp 423–438
Gregor S, Hevner AR (2013) Positioning and presenting design science research for maximum impact. MIS Q 37(2):337–355
Belmont Kate B Maritime cyber attacks: changing tides. Last modified Nov 2015. http://maritime-executive.com/blog/maritime-cyber-attacks-changing-tides
Paganini P Hacking ships: maritime shipping industry at risk. Last modified March 31, 2015. http://securityaffairs.co/wordpress/35504/hacking/hacking-maritime-shipping-industry.html
Fitton O, Prince D, Germond B, Lacy M (2015) The future of maritime cyber security. Lancaster University, Lancaster, p 36
Inetrnational Maritime Organization (1974) International convention for the safety of life at sea (SOLAS)
International Maritim Organization (2011) ISPS code
Chebli AS (2009) La piraterie maritime au début du XXième siecle: panorama, modes opératoires et solutions. Mémoire pour le DU Analyse des menaces contemporaines
Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 13(3):319–340
EBIOS Secrétariat Général De la Défense Nationale (2004) EBIOS-Expression des Besoins et Identification des Objectifs de Sécurité. http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/
Requirements Working Group (2012) International council on systems engineering (INCOSE), guide for writing requirements, INCOSE
Palomares C, Franch X, Quer C (2014) Requirements reuse and patterns: a survey. In: International working conference on requirements engineering: foundation for software quality. Springer, Cham, pp 301–308
Farfeleder S, Moser T, Krall A, Stålhane T, Zojer H Panis C (2011) DODT: increasing requirements formalism using domain ontologies for improved embedded systems development. In: Design and diagnostics of electronic circuits and systems (DDECS), 2011 IEEE 14th international symposium on. IEEE, pp 271–274
Ruhroth T, Gärtner S, Bürger J, Jürjens J, Schneider K (2014) Towards adaptation and evolution of domain-specific knowledge for maintaining secure systems. In: Product-focused software process improvement. Springer, pp 239–253
Naudet Y, Mayer N, Feltus C (2016) Towards a systemic approach for information security risk management. In: Availability, reliability and security (ARES), 2016 11th international conference on. IEEE, pp 177–186
Acknowledgements
Authors would like to thank Dr. Zeinab Hmedeh for her valuable help during the development of the AMAN-DA tool and Prof. Bénédicte le Grand for her fruitful discussions and feedbacks all over the AMAN-DA project.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Souag, A., Mazo, R., Salinesi, C. et al. Using the AMAN-DA method to generate security requirements: a case study in the maritime domain. Requirements Eng 23, 557–580 (2018). https://doi.org/10.1007/s00766-017-0279-5
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00766-017-0279-5